Abstract — Cloud computing is a revolutionary computing paradigm which enables flexible, on-demand and low-cost usage of computing resources. Those advantages, ironically, are the causes of security and privacy problems, which emerge because the data owned by different users are stored in cloud servers instead of under their own control. To deal with the security problems, various schemes based on Attribute-Based Encryption have been proposed recently. However, the privacy problem of cloud computing is yet to be solved. This paper presents an anonymous privilege control scheme, AnonyControl, to address not only the data privacy problem in cloud storage, but also the user identity privacy issues in existing access control schemes. By using multiple authorities in the cloud computing system, our proposed scheme achieves anonymous cloud data access and fine-grained privilege control. Our security proof and performance analysis show that AnonyControl is both secure and efficient for the cloud computing environment.

I. Introduction 

Cloud computing is a new concept of computing technique, by which computer resources are provided dynamically via the Internet. It attracts considerable attention and interest from both academia and industry. However, it also has at least three challenges that must be handled before it is applied in real life. First of all, data confidentiality should be guaranteed. When sensitive information is stored in cloud servers, which are out of the users' control in most cases, risks rise dramatically. The servers might illegally inspect users' data and access sensitive information. On the other hand, unauthorized users may also be able to intercept someone's data (e.g. after a server compromise). Secondly, personal information (defined by a user's attributes) is at risk because one's identity is authenticated according to this information. As people are becoming more concerned about their privacy these days, privacy preservation is very important. Preferably, no authority or server alone should know any client's personal information. Last but not least, the cloud computing system should be resilient in the case of a security breach in which some part of the system is compromised by attackers.

In fact, various techniques have been proposed and/or used to address the aforementioned problems. Identity-based encryption (IBE) was first introduced by Shamir in 1985 [1]. In IBE, the sender of a message can specify an identity such that only a receiver with the matching identity can decrypt it. This is different from public-key encryption in that the encrypter does not need to issue an extra key to the decrypter for each ciphertext. In IBE, the private key, which contains the identity of the holder, is distributed to every user only once, when he joins the system.

A few years later, Sahai and Waters proposed a new type of IBE, Fuzzy Identity-Based Encryption [2], which is also known as Attribute-Based Encryption (ABE). In their work, an identity is viewed as a set of descriptive attributes. Different from IBE, where the decrypter can decrypt the message if and only if his identity is exactly the same as the one specified by the encrypter, this fuzzy IBE enables decryption if the 'identity overlap' between the identity specified by the encrypter and the one belonging to the decrypter exceeds a pre-set threshold. However, this kind of threshold-based scheme is too limited for designing more general systems because threshold-based semantics cannot express a general condition.

Before long, more general tree-based ABE schemes, Key-Policy Attribute-Based Encryption (KP-ABE) [3] and Ciphertext-Policy Attribute-Based Encryption (CP-ABE) [4], were proposed by Goyal et al. and Bethencourt et al. respectively to overcome the aforementioned drawback of fuzzy IBE. They look similar, but their ciphertext and key structures are totally different, and the decision on the encryption policy (who can or cannot decrypt the message) is made by different parties.

In KP-ABE [3], a ciphertext is associated with a set of attributes, which partially represents the ciphertext's encryption policy. A private key is associated with a monotonic access structure like a tree, which describes this user's identity (e.g. IIT AND (Ph.D OR Master)). A user can decrypt the ciphertext if and only if the access tree in his private key is satisfied by the attributes in the ciphertext. However, the encryption policy is described in the keys, so the encrypter does not have full control over the encryption policy (who has access to the data and who does not). He has to trust that the key generators issue correct keys to the correct users. Furthermore, when a re-encryption occurs, all of the users in the same system must have their private keys re-issued so as to gain access to the re-encrypted files, and this process causes considerable problems in implementation. On the other hand, those problems and overhead are all solved in CP-ABE [4]. In CP-ABE, ciphertexts are created with an access structure, which specifies the encryption policy, and private keys are generated according to users' attributes. A user can decrypt the ciphertext if and only if the attributes in his private key satisfy the access tree specified in the ciphertext. By doing so, the encrypter holds the ultimate authority over the encryption policy. Also, the already issued private keys will never be modified unless the whole system crashes and the system's master key is lost.

In [5], [6], Chase introduced a multi-authority system, where each user has an ID and can interact with each key generator (authority) using different pseudonyms. One user's different pseudonyms are tied to his private key, but the key generators never learn the private keys, and thus they are not able to link multiple pseudonyms belonging to the same user. In fact they are not even able to distinguish the same user in different transactions. Also, the whole attribute set is divided into N disjoint sets and managed by N attribute authorities. That is, an attribute authority will only issue the key components which it is in charge of. In this setting, even if an authority successfully guesses a user's ID, it knows only part of the user's attributes, which is not enough to figure out the user's identity. However, the scheme proposed by Chase et al. [6] considered the basic threshold-based ABE, which is mentioned at the beginning of this section, and thus lacks expressibility in terms of encryption policy.

In addition, many similar works [7]–[11] have been published to create more advanced schemes where data needs to be securely and efficiently protected, which in turn served as the base of the research on security protocols in the cloud computing environment [12], [13]. However, much less effort is paid to protecting users' privacy during those interactive protocols. Users' identities, which are described with their attributes, are generally revealed to the key generators, and the generators issue private keys according to those attributes. But it seems natural that users might want to keep their identities secret while they still get their private keys. Lewko's work [11] is the most similar one to ours in that they also tried to decentralize the central authority in CP-ABE into multiple ones. They use an LSSS matrix as an access structure, but their scheme only converts the AND and OR gates to the LSSS matrix, while we inherit the flexibility of the access tree having threshold gates. In addition, our system tolerates compromise attacks against attribute authorities, which is not covered in many existing works.

The main contributions of this paper are:

1) The proposed scheme is able to protect a user's privacy against each single authority.

2) The proposed scheme is tolerant against authority compromise, and compromising up to (N − 2) authorities does not bring the whole system down.

3) We provide a detailed analysis of security and performance to show the feasibility of our scheme.

4) We provide the first implementation of a real toolkit for a multi-authority based encryption scheme.



II. Preliminaries & Related Work 

A. Preliminaries 

Let $G_0$ be a multiplicative cyclic group of prime order $p$ and $g$ be its generator. The bilinear map $e$ is defined as follows: $e : G_0 \times G_0 \rightarrow G_T$, where $G_T$ is the codomain of $e$. The bilinear map $e$ has the following properties:

• Bilinearity: $\forall u, v \in G_0$ and $a, b \in \mathbb{Z}_p$, $e(u^a, v^b) = e(u, v)^{ab}$.

• Symmetry: for all $u, v \in G_0$, $e(u, v) = e(v, u)$.

• Non-degeneracy: $e(g, g) \neq 1$.

Definition 1. The Decisional Diffie-Hellman (DDH) problem in group $G_0$ of prime order $p$ with generator $g$ is defined as follows: on input $g, g^a, g^b, g^c = g^{ab} \in G_0$, where $a, b, c \in \mathbb{Z}_p$, decide whether $c = ab$ or $c$ is a random element.

Definition 2. The Decisional Bilinear Diffie-Hellman (DBDH) problem in group $G_0$ of prime order $p$ with generator $g$ is defined as follows: on input $g, g^a, g^b, g^c \in G_0$ and $e(g, g)^z = e(g, g)^{abc} \in G_T$, where $a, b, c \in \mathbb{Z}_p$, decide whether $z = abc$ or $z$ is a random element.

The security of many ABE schemes (e.g. [2], [3], [4], [11]) and ours relies on the assumption that no probabilistic polynomial-time algorithm can solve the DDH and DBDH problems with non-negligible advantage. This assumption is reasonable since discrete logarithm problems in large number fields are widely considered to be intractable ([15]–[17]), and therefore $a$ is not deducible from $g^a$ even if $g$ is publicly known.

We also define the Lagrange coefficient $\Delta_{i,S}$ for $i \in \mathbb{Z}_p$ and a set, $S$, of elements in $\mathbb{Z}_p$:

$$\Delta_{i,S}(x) := \prod_{j \in S,\, j \neq i} \frac{x - j}{i - j},$$

which will be used in the polynomial interpolation in the decryption algorithm to recover the secretly shared values. Additionally, a one-way hash function $H : \{0, 1\}^* \rightarrow G_0$ is also defined as a random oracle. This will map any attribute value to a random element in $\mathbb{Z}_p$ (the same attribute value will be mapped to the same element).

B. CP-ABE 

The idea of Attribute-Based Encryption (ABE) was first proposed by Sahai and Waters [2]. In contrast to traditional identity-based encryption, in ABE a user is able to decrypt a ciphertext if there is some match between his private key and the ciphertext. However, due to its lack of expressibility and generality, it was later extended to Key-Policy ABE by Goyal et al. [3] and Ciphertext-Policy ABE by Bethencourt et al. [4]. Our scheme chooses CP-ABE as the base due to its advantages mentioned in Section I.

In CP-ABE, the private key is distributed to users by a trusted central issuer only once. The keys are identified with a set of descriptive attributes, and the encrypter specifies an encryption policy using an access tree so that those with private keys which satisfy it can decrypt the ciphertext.

C. Privilege Trees T p 

In most previous works [3], [4], [14], the encryption policy is described with a tree called the access tree. Each non-leaf node of the tree is a threshold gate, and each leaf node is described by an attribute. One access tree is required in every data file to define the encryption policy. In this paper, we extend existing schemes by generalizing the access tree to a privilege tree. The privilege in our scheme is defined as follows. A data file has several operations executable on itself, but some of them should be restricted only to authorized users. For example, {Read_mine, Read_all, Delete, Modify, Create} is a privilege set of students' grades. Then, reading Alice's grades is allowed to her and her professors, but all other privileges should be authorized only to the professors, so we need to grant "Read_mine" to Alice and all others to the professors.

Every operation is associated with one privilege $p$, which is described by a privilege tree $T_p$. If a user's attributes satisfy $T_p$, he is granted the privilege $p$. By doing so, we not only control the file access but also control other executable operations, which makes the file control fine-grained and thus suitable for a cloud storage service.

In our scheme, several trees are required in every data file to verify a user's identity and to grant him a privilege accordingly. There are supposed to be $r$ such structures, which means there are $r$ different privileges defined for the corresponding data file. The 0th privilege is defined as the privilege to read the file, and other privileges may be defined arbitrarily (the $m$-th privilege does not necessarily have a more powerful privilege than the $n$-th one when $m > n$). The tree is similar to the one defined in [4]. Given a tree, if $num_x$ is the number of the node $x$'s children and $k_x$ is its threshold value, $0 < k_x \le num_x$, then node $x$ is assigned a true value if at least $k_x$ children nodes have been assigned a true value. In particular, the node becomes an OR gate when $k_x = 1$ and an AND gate when $k_x = num_x$.

Several subsidiary functions are to be mentioned for convenience. We denote the parent of a node $x$ by $parent(x)$, and the attribute value of a leaf node $x$ by $att(x)$. Furthermore, the privilege tree $T_p$ also defines the order between the children of every node, and the numbers associated with node $x$, from 1 to $num_x$, are denoted by $index(x)$.

TABLE I
Notations for privilege trees

  $T_p$          the $p$-th privilege tree representing the $p$-th privilege
  $k_x$          threshold value of the node $x$
  $num_x$        number of $x$'s child nodes
  $att(x)$       attribute value of the node $x$, if it is a leaf node
  $index(x)$     index of the $x$'s child nodes
  $parent(x)$    node $x$'s parent node


D. Satisfying the Privilege Tree 

If a user's attribute set $S$ satisfies the privilege tree $T_p$ or the node $x$, we define it as $T_p(S) = 1$ or $x(S) = 1$ respectively. $T_p(S)$ is calculated recursively as follows. If $x$ is a leaf node, $x(S) = 1$ if and only if $att(x) \in S$. If $x$ is a non-leaf node, $x(S) = 1$ only when at least $k_x$ child nodes return 1. For the root node $R_p$ of $T_p$, $T_p(S) = 1$ only if $R_p(S) = 1$.

Figure 1 shows an example of the privilege tree $T_p$ for deleting the file.

Fig. 1. An example of a privilege tree. (Leaf attributes: Professor, Ph.D, Chinese, American.)

For instance, if a user's attribute set is {Sex:Male, Age:23, Nationality:Chinese, University:Tsinghua University, Position:Ph.D Student, Religion:None}, he satisfies the tree, and thus achieves the corresponding privilege (here it means he can delete the file).

III. Definitions of our scheme 

A. System Model 

In our system, there are four types of entities: N Attribute 
Authorities (denoted as A), Cloud Server, Data Owners and 
Data Consumers. A user can be a Data Owner and a Data 
Consumer simultaneously. 




Fig. 2. Our system model (Attribute Authorities, Cloud Servers, Data Owners, Data Consumers).

Authorities are assumed to have powerful computation abilities, and they are supervised by government offices since keys act as IDs and partially contain users' PII (Personally Identifiable Information). The whole attribute set is divided into N disjoint sets, each controlled by one authority. One practical method to divide the attribute set is to divide it by category (e.g., {Sex: Male, Female}, {Nationality: Korean, Chinese, Japanese}, {University: Tsinghua, Peking University}, {Position: Professor, Ph.D Student, Master Student}). In this way, since each authority is aware of only one type of attribute, no useful information is leaked. The authorities jointly compute a system-wide public key, and individually compute their master keys at the initialization phase. The public key is used for all operations within the system, and the master keys are used by each attribute authority when it generates private keys for Data Consumers.

A Data Owner obtains the public key from any one of the authorities, and he uses the public key to encrypt the data file before outsourcing it to the Cloud Servers. The Cloud Server, which is assumed to have adequate storage capacity, does nothing but store them.

Newly joined Data Consumers request private keys from all of the authorities, and they do not know which attributes are controlled by which authority. On the other hand, the authorities do not know which Data Consumers are interacting with them because each of them knows only a part of the Data Consumers' attributes. When the Data Consumers request their private keys from the authorities, the authorities jointly create the corresponding private key and send it to them.

All Data Consumers are able to download any of those data files, but only those whose private keys satisfy the privilege tree $T_p$ can execute the operation associated with privilege $p$. When a user wants to execute a specific operation upon a data file, he should satisfy the relevant privilege tree $T_p$ and get verified by the Cloud Server. The server is delegated to execute an operation $p$ if and only if the user's privilege is verified through the privilege tree $T_p$.

B. Threats Model 

We assume the Cloud Servers are untrusted: they behave properly most of the time but may collude with malicious Data Consumers or Data Owners to harvest others' file contents to gain illegal profits. But they are also assumed to gain legal benefit when users' requests are correctly processed, which means they will follow the protocol in general. In addition, even if the Cloud Server illegally modifies data files for the sake of monetary benefit (e.g. deleting rarely accessed files to save storage), whether the data is intact can be detected by the TPA technique introduced in [22].

The N authorities are assumed to be semi-honest. That is, they will follow our proposed protocol in general, but try to find out as much information as possible individually. More specifically, we assume they are interested in users' attributes in order to learn their identities, but they will never collude with any user or authority to harvest file contents even if it is highly beneficial. This assumption is similar to many previous works on security issues in cloud computing (e.g. [14], [22]–[24]), and it is also reasonable since these authorities will be audited by government offices.

Data Consumers are untrusted since they are random users, including attackers. They may collude with other Data Consumers to access what is not allowed for them.

C. Design Goal 

Our goal is to help Data Owners securely share their data with Data Consumers, where fine-grained privilege control is achievable, and to guarantee the confidentiality of Data Consumers' identity information by decomposing a central authority into multiple ones while preserving tolerance to compromise attacks on the authorities. We assume the identity information is not disclosed by the underlying network. This can be achieved by employing anonymized protocols (e.g., [23]).

In the rest of this paper, $A^u$ is used to denote the attribute set of a user $u$. $A_k$ is used to denote the attribute authority $k$, and we also use a subscript $k$ to denote the attribute set

D. Definition of our Multi-Authority CP-ABE

TABLE II
Notations for System Construction

  Attribute Authorities
    $k$            index of an attribute authority
    $A_k$          the $k$-th attribute authority
    $s_{kj}$       secret parameter for compromise tolerance
  Data Owner
    $u$            a user (either Data Owner or Data Consumer)
    $A^u$          attribute set of user $u$
    $A_{T_p}$      attribute set included in tree $T_p$
    $K_e$          symmetric encryption/decryption key

Setup → PK, $MK_k$:

This algorithm takes nothing as input. Attribute authorities execute this algorithm to jointly compute a system-wide public parameter PK and an authority-wide public parameter $Y_k$, and to individually compute master keys $MK_k$.

KeyGenerate(PK, $MK_k$, $A^u$, $GID_u$) → $SK_u$:

This algorithm enables a user to interact with every attribute authority and obtain a private key $SK_u$ corresponding to the input attribute set $A^u$ and his global ID $GID_u$. From the authorities' perspective, the algorithm enables them to jointly generate a private key $SK_u$, using the public key PK and master keys $MK_k$, according to the input $A^u$ and a pseudonym $nym_{GID_u}$, which is created according to the $GID_u$. Authorities are not able to derive a user's $GID_u$ from the pseudonym $nym_{GID_u}$.

Encrypt(PK, M, $\{T_p\}_{p \in \{0, \dots, r-1\}}$) → (CT, VR):

This algorithm takes as input the public key PK, a message M, and a set of privilege trees $\{T_p\}_{p \in \{0, \dots, r-1\}}$, where $r$ is determined by the encrypter. It encrypts the message M and returns a ciphertext CT and a verification set VR so that a user can execute a specific operation on the ciphertext if and only if his attributes satisfy the corresponding privilege tree $T_p$. As we defined, $T_0$ stands for the privilege to read the file.

Decrypt(PK, $SK_u$, CT) → M or verification parameter:

This algorithm is used at file controlling (e.g. reading, modification, deletion). It takes as input the public key PK, a ciphertext CT, and a private key $SK_u$, which has a set of attributes $A^u$ and corresponds to its holder's $GID_u$. If the set $A^u$ satisfies any tree in the set $\{T_p\}_{p \in \{0, \dots, r-1\}}$, the algorithm returns a message M or a verification parameter. If the verification parameter is successfully verified by the Cloud Servers, who use VR to verify it, the operation request is processed.

ReEncrypt(PK, CT, $SK_u$, $\{T'_p\}$) → CT', VR':

This algorithm is merely a composition of the decryption and the encryption algorithms. It takes as input the public key PK, a private key $SK_u$, a ciphertext CT, and a set of new privilege trees $\{T'_p\}_{p \in \{0, \dots, r-1\}}$. If the set $A^u$ in $SK_u$ satisfies $T_0$ (to obtain the original message M first) and $T_k$ (privilege $k$ is the one for re-encryption), the algorithm re-encrypts the original message M under the new set of privilege trees and returns a new ciphertext CT' and a new verification set VR'.

IV. Our AnonyControl Scheme 

A. Setup

At the system initialization phase, any one of the authorities chooses a bilinear group $G_0$ of prime order $p$ with generator $g$ and publishes it. Then, all authorities independently and randomly pick $v_k \in \mathbb{Z}_p$ and send $Y_k = e(g, g)^{v_k}$ to all other authorities, who individually compute $Y := \prod_{k \in \mathcal{A}} Y_k$.

Then, every authority $A_k$ randomly picks $N - 1$ integers $s_{kj} \in \mathbb{Z}_p$ ($j \in \{1, \dots, N\} \setminus \{k\}$) and computes $g^{s_{kj}}$. Each $g^{s_{kj}}$ is shared with the corresponding other authority $A_j$. An authority $A_k$, after receiving the $N - 1$ pieces $g^{s_{jk}}$ generated by the $A_j$, computes its secret parameter $x_k$ as follows:

$$x_k = \frac{\prod_{j \in \{1, \dots, N\} \setminus \{k\}} g^{s_{kj}}}{\prod_{j \in \{1, \dots, N\} \setminus \{k\}} g^{s_{jk}}} = g^{\left(\sum_{j \in \{1, \dots, N\} \setminus \{k\}} s_{kj} \;-\; \sum_{j \in \{1, \dots, N\} \setminus \{k\}} s_{jk}\right)}$$

It is easy to see that these randomly produced integers satisfy $\prod_{k \in \mathcal{A}} x_k = 1 \bmod p$. This is an important property which achieves compromise attack tolerance for our scheme, which will be discussed in the next section.

Then, the master key for the authority $A_k$ is $MK_k = \{v_k, x_k\}$, and the public key of the whole system is published as $PK = \{G_0, g, Y = e(g, g)^{\sum v_k}\}$.

Note that the time complexity of the setup computation is $O(N^2)$ since every authority computes $N - 1$ pieces of $g^{s_{kj}}$. However, this can be further reduced to $O(N)$ by applying the following simple trick. We first cluster the authorities into $C$ clusters, and exchange the parameters within the cluster only. Then, the time complexity is reduced to $O(CN) = O(N)$ since $C$ is a constant. Yet, this trick also relaxes our compromise tolerance. We will further discuss the trade-off between time complexity and compromise attack tolerance in Section V.

B. KeyGenerate(PK, $MK_k$, $A^u$)

When a new user $u$ with $GID_u$ wants to join the system, he requests the private key from all of the authorities by following this process, which is composed of two phases.

1) Attribute Key Generation: For any attribute $i \in A^u$, every $A_k$ randomly picks $r_i \in \mathbb{Z}_p$ to individually compute the partial private key

$$H(att(i))^{r_i}, \qquad D'_i = g^{r_i}$$

Then, all of the authorities randomly pick $d_k \in \mathbb{Z}_p$ ($d_k$ for $A_k$), compute $x_k \cdot g^{v_k} \cdot g^{d_k}$ and share it with the others.

Then, the authorities merge the partial private keys by computing the following (this can be done individually by any one of the authorities):

$$D = \prod_k x_k \, g^{v_k} \, g^{d_k} = g^{\sum v_k + \sum d_k}$$

$$D_i = H(att(i))^{r_i} \cdot \prod_k g^{d_k} = H(att(i))^{r_i} \cdot g^{\sum d_k}$$

At the end, $D$, the $D_i$'s and the $D'_i$'s are sent to the user $u$.

2) Key Aggregation: User $u$, after receiving $D$, the $D_i$'s and the $D'_i$'s, aggregates the components as his private key:

$$SK_u = \left\{ D,\ \forall i \in A^u : D_i = g^{\sum d_k} \cdot H(att(i))^{r_i},\ D'_i = g^{r_i} \right\}$$



C. Encrypt(PK, M, $\{T_p\}_{p \in \{0, \dots, r-1\}}$)

Encryption must be done before Data Owners upload their data files to the Cloud Server. At first, the Data Owner randomly selects a symmetric data encryption key $K_e$ and encrypts the data file with it using any symmetric encryption scheme (e.g., 256-bit AES). Then, he determines a set of privilege trees $\{T_p\}_{p \in \{0, \dots, r-1\}}$ and executes Encrypt(PK, $K_e$, $\{T_p\}$). For each $T_p$, the algorithm first chooses a polynomial $q_x$ for each node $x$ in it. For each node $x$, it sets the degree $d_x$ of the polynomial $q_x$ to one less than the threshold value $k_x$. Starting from the root node $R_p$, the algorithm randomly picks $s_p \in \mathbb{Z}_p$ and sets $q_{R_p}(0) = s_p$. Then, it chooses the other coefficients so that for any other node $x$, $q_x(0) = q_{parent(x)}(index(x))$, and randomly defines the rest of $q_x$ too.

Here, Shamir's secret sharing technique [26] is directly used to implement the threshold gate. Shamir's $t$-out-of-$n$ secret sharing scheme allows one to divide a secret into $n$ shares, and the original secret can be recovered with $t$ of them. So, in our tree, the node value of a gate is recovered if and only if at least $k_x$ values of its children are recovered, in a recursive manner.

Finally, the ciphertext CT is created as

$$CT = \Big( \{T_p\}_{p \in \{0, \dots, r-1\}},\ E_0 = K_e \cdot Y^{s_0},\ \{ C_i = g^{q_i(0)},\ C'_i = H(att(i))^{q_i(0)} \}_{i \in A_{T_p},\ \forall p \in \{0, \dots, r-1\}} \Big)$$

In the CT above, $E_0$ contains the symmetric key for decryption, and the $C_i$'s and $C'_i$'s represent the attribute values in the specified privilege trees.

Then, VR, which is disclosed only to the Cloud Server, is created for the purpose of privilege verification.

$$VR = \big( \{ E_p = Y^{s_p} \}_{p \in \{1, \dots, r-1\}} \big)$$

Finally, the Data Owner selects a unique ID for this encrypted data file and sends CT, VR and the encrypted file to the Cloud Server to share them with other Data Consumers.

Fig. 3. A data file stored on the cloud. (a) Seen from the data consumers' perspective: Encrypted Data File. (b) Seen from the server's perspective: ID, CT, VR, Encrypted Data File.

D. Decrypt(PK, $SK_u$, CT)

Every user within the system can download the ciphertext from the Cloud Server, but he is able to execute operations upon the encrypted data only after he successfully decrypts it. Firstly, we define a recursive algorithm DecryptNode(CT, $SK_u$, $x$), where $x$ stands for a node in the privilege tree $T_p$. If the node $x$ is a leaf node, we let $i$ be the attribute of the node $x$ and define as follows. If $i \in A^u$,

$$\mathrm{DecryptNode}(CT, SK_u, x) = \frac{e(D_i, C_i)}{e(D'_i, C'_i)} = \frac{e\left(g^{\sum d_k} \cdot H(att(i))^{r_i},\ g^{q_x(0)}\right)}{e\left(g^{r_i},\ H(att(i))^{q_x(0)}\right)} = e(g, g)^{(\sum d_k) \cdot q_x(0)}$$

If not, we define DecryptNode(CT, $SK_u$, $x$) := $\bot$.

If $x$ is not a leaf node, the algorithm proceeds as follows: For all nodes $z$ that are children of $x$, it calls DecryptNode(CT, $SK_u$, $z$) and stores the output as $F_z$. Let $S_x$ be an arbitrary $k_x$-sized set of child nodes $z$ such that $F_z \neq \bot$. If no such set exists then the node was not satisfied and the algorithm returns $\bot$. Otherwise, compute

$$F_x = \prod_{z \in S_x} F_z^{\Delta_{d, S'_x}(0)}, \quad \text{where } d = index(z),\ S'_x = \{ index(z) : z \in S_x \}$$

$$= \prod_{z \in S_x} \left( e(g, g)^{(\sum d_k) \cdot q_z(0)} \right)^{\Delta_{d, S'_x}(0)}$$

$$= \prod_{z \in S_x} \left( e(g, g)^{(\sum d_k) \cdot q_{parent(z)}(index(z))} \right)^{\Delta_{d, S'_x}(0)}$$

$$= \prod_{z \in S_x} \left( e(g, g)^{(\sum d_k) \cdot q_x(d)} \right)^{\Delta_{d, S'_x}(0)}$$

$$= e(g, g)^{(\sum d_k) \cdot q_x(0)} \quad \text{(using polynomial interpolation)}$$

The interpolation above recovers the parent node's value by calculating the coefficients of the polynomial and evaluating it at 0. We direct the readers to [26] for the complete calculation. A user recursively calls this algorithm, starting from the root node $R_p$ of the tree $T_p$, after downloading the file. If the tree is satisfied, which means he is granted the privilege $p$, then

$$\mathrm{DecryptNode}(CT, SK_u, R_p) = e(g, g)^{s_p \sum d_k}$$

Finally, if the user is trying to read the file, the symmetric encryption key $K_e$ can be recovered by:

$$K_e = \frac{E_0}{Y^{s_0}}, \quad \text{since } E_0 = K_e \cdot Y^{s_0}$$

Then, the data file can be decrypted by using it. Otherwise, he should first be verified as an authorized user for the operation. If the operation requires the $j$-th privilege, the user recursively calls DecryptNode(CT, $SK_u$, $x$) starting from the root node $R_j$ of the tree $T_j$ to get $e(g, g)^{s_j \sum d_k}$ and further obtain $Y^{s_j}$ with the same equation as above. The user sends it to the Cloud Server together with the operation request. The Cloud Server checks whether $Y^{s_j} = E_j$, and proceeds if they are equal. In fact, $Y^{s_j}$ should be encrypted to avoid replay attacks. This can be simply implemented by introducing any public key encryption protocol.
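The following is an added example, not code from the paper or its toolkit, that puts together the privilege-tree semantics of Section II-C/II-D, the polynomial assignment of Encrypt (Section IV-C) and the Lagrange recovery of DecryptNode (Section IV-D). It works directly on the shared exponents $q_x(0)$ modulo a toy prime P instead of on group elements: in AnonyControl those exponents sit inside $e(g,g)^{(\sum d_k) q_x(0)}$, and the interpolation in the exponent is the same computation. The Node representation, the attribute strings and the two users are constructed for the example.

```python
# Added example (not from the paper): a privilege tree T_p with threshold
# gates, Shamir sharing of s_p down the tree as in Encrypt, and recursive
# recovery with Lagrange coefficients as in DecryptNode. Arithmetic is done
# on the exponents q_x(0) in Z_P; in the scheme the same values live in the
# exponent of e(g,g), so the interpolation is identical.
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set

P = 2**61 - 1   # toy prime standing in for the group order p (constructed)


@dataclass
class Node:
    k: int = 1                       # threshold k_x (a leaf behaves like k = 1)
    att: Optional[str] = None        # att(x) for a leaf node, None for a gate
    children: List["Node"] = field(default_factory=list)
    share: int = 0                   # q_x(0), filled in by share_tree


def leaf(att: str) -> Node:
    return Node(att=att)


def gate(k: int, *children: Node) -> Node:
    """Threshold gate with 0 < k_x <= num_x; k = 1 is OR, k = num_x is AND."""
    assert 0 < k <= len(children)
    return Node(k=k, children=list(children))


def satisfied(x: Node, attrs: Set[str]) -> bool:
    """T_p(S) of Section II-D: leaf -> att(x) in S; gate -> at least k_x children true."""
    if x.att is not None:
        return x.att in attrs
    return sum(satisfied(z, attrs) for z in x.children) >= x.k


def share_tree(x: Node, secret: int) -> None:
    """Encrypt step: q_x(0) = secret, deg q_x = k_x - 1, and the child with
    index(z) = i receives q_x(i) as its own q_z(0)."""
    x.share = secret % P
    if x.att is not None:
        return
    coeffs = [x.share] + [secrets.randbelow(P) for _ in range(x.k - 1)]
    for idx, z in enumerate(x.children, start=1):          # index(z) in 1..num_x
        share_tree(z, sum(c * pow(idx, e, P) for e, c in enumerate(coeffs)) % P)


def lagrange_at_zero(i: int, S: List[int]) -> int:
    """Delta_{i,S}(0) = prod_{j in S, j != i} (0 - j) / (i - j)  (mod P)."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (-j) % P
            den = den * (i - j) % P
    return num * pow(den, -1, P) % P


def decrypt_node(x: Node, attrs: Set[str]) -> Optional[int]:
    """DecryptNode: q_x(0) if the subtree rooted at x is satisfied, else None (bottom)."""
    if x.att is not None:
        return x.share if x.att in attrs else None
    F = [(idx, decrypt_node(z, attrs)) for idx, z in enumerate(x.children, start=1)]
    S_x = [(idx, v) for idx, v in F if v is not None][: x.k]   # any k_x satisfied children
    if len(S_x) < x.k:
        return None
    S_prime = [idx for idx, _ in S_x]                          # S'_x = {index(z) : z in S_x}
    return sum(v * lagrange_at_zero(idx, S_prime) for idx, v in S_x) % P


def demo():
    """Constructed tree in the spirit of Fig. 1: (Professor OR Ph.D) AND (Chinese OR American)."""
    tree = gate(2, gate(1, leaf("Position:Professor"), leaf("Position:Ph.D Student")),
                   gate(1, leaf("Nationality:Chinese"), leaf("Nationality:American")))
    s_p = secrets.randbelow(P)
    share_tree(tree, s_p)
    alice = {"Sex:Male", "Nationality:Chinese", "Position:Ph.D Student"}
    bob = {"Nationality:Chinese", "Position:Master Student"}   # misses the first gate
    return (satisfied(tree, alice), decrypt_node(tree, alice) == s_p,
            satisfied(tree, bob), decrypt_node(tree, bob) is None)
```

A general k-of-n gate works the same way: `gate(2, leaf("a"), leaf("b"), leaf("c"))` recovers the secret from any two of the three leaf shares and from none fewer.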

E. ReEncrypt(PK, CT, $SK_u$, $\{T'_p\}_{p \in \{0, \dots, r-1\}}$)

In real applications in a cloud storage system, users might be revoked for some reason (e.g., resignation from a company). In this case, we need to re-encrypt the files to avoid unauthorized access by revoked users, i.e. the users who satisfy certain properties for revocation (e.g., resignation). When they are revoked, they should not access the data files or execute other operations on them. An authorized user with the privilege to re-encrypt the associated file (note that this user is not necessarily the Data Owner) decrypts it first, and randomly selects another symmetric encryption key $K'_e$ to re-encrypt it. Then, he determines subtrees which forbid the revoked users' access but still enable other unrelated users' access, and adds these subtrees into the original $\{T_p\}$ to gain the new privilege set $\{T'_p\}$. Then, ReEncrypt(PK, CT, $SK_u$, $\{T'_p\}$) is executed to obtain the new CT' and VR'.




Fig. 4. An example of a privilege tree after the re-encryption. (Leaf attributes: Professor, Ph.D, Chinese, American. Users shown: Revoked Users {Male, Chinese, Professor}; Other Users {Male, American, Ph.D}; Revoked Users {Female, Chinese, Professor}.)

Figure 4 shows a new tree $T'_p$ after a re-encryption. Assuming that there are only three users within the system, who are described in Figure 4, and the 'Revoked Users' are revoked, the subtree may indicate the attribute condition as (Chinese ∨ Ph.D Student).

V. Security Analysis 

A. User's Identity Information Confidentiality

The attributes, which contain a user's identity information, are separately controlled by different attribute authorities. Therefore, a user's attribute information is securely protected.

B. Trade-off between Tolerance and Complexity 

In the proposed scheme, an authority $A_k$ generates a set of random secret parameters $\{s_{kj}\}$ and shares it with the other authorities, and $x_k$ is computed based on these parameters. Even if an adversary is able to compromise up to $(N - 2)$ authorities, there are still two parameters kept unknown to the adversary. So, the adversary is not able to guess the valid $g^{\sum v_k}$, and he fails to construct a valid secret key. Hence, the scheme achieves compromise tolerance against the compromise of up to $(N - 2)$ authorities.

But, if we reduce the time complexity of the setup phase by dividing the authorities into several clusters having $C$ authorities each, attackers can compromise $C - 1$ authorities in a cluster to create valid master keys of that cluster. Therefore, there is a trade-off between tolerance and complexity. However, since the number of authorities is typically not very large, and the setup is a one-time operation at the very beginning of the system's life, we recommend using the original setup algorithm whose complexity is $O(N^2)$.

Finally, note that compromised authorities are able to issue valid attribute keys for the attributes they are in charge of, so a ciphertext whose privilege trees contain only those attributes might be illegally decrypted if the attacker issues all possible attribute keys to himself. But, since the authorities are well-protected servers, it is hard to compromise even one authority, and the probability of compromising enough authorities to illegally decrypt some ciphertext is very low.
C. Data Confidentiality against Collusion Attack

In order to access a plaintext, attackers must recover $Y^{s_0} = e(g,g)^{s_0 \sum v_k}$, which can be recovered only if the attackers have enough attributes to satisfy the tree $T_0$. When the components of two different keys are combined, the combined key cannot go through the polynomial interpolation in the decryption algorithm, due to the randomization. Therefore, at least one key must by itself be valid to satisfy the privilege tree.

Security Model for AnonyControl construction 

W.L.O.G., we assume there is only one privilege tree $T_0$, which represents the privilege for reading, in the privilege set of CT. This assumption does not affect the security proof, since we can easily extend the model to have several trees in CT. Next we show that our scheme is secure against chosen plaintext attacks (CPA) if all probabilistic polynomial-time adversaries have negligible advantage in this game.

Init: The adversary declares a privilege tree $T_0$ on which he wants to be challenged.

Setup: The challenger runs the Setup algorithm of our construction and publishes PK to the adversary.

Phase 1: The adversary queries for as many private keys as he wants, corresponding to attribute sets $A_1, \dots, A_q$, where none of these keys satisfy the $T_0$ above.

Challenge: The adversary submits two messages $M_0$ and $M_1$ of equal size to the challenger. The challenger flips a random binary coin $b$ and encrypts $M_b$ with $T_0$. The ciphertext $CT^*$ is given to the adversary.

Phase 2: Phase 1 is repeated adaptively.

Guess: The adversary outputs a guess $b'$ of $b$.

The advantage of an adversary $\mathcal{A}$ in this game is defined as $\Pr[b' = b] - \frac{1}{2}$. We note that the model can easily be extended to handle chosen-ciphertext attacks by allowing decryption queries in Phase 1 and Phase 2.

Here we prove that the security of our scheme in the 
security model above reduces to the intractability of the DBDH 
problem. 

Definition 3. Our scheme is secure against CPA if all polynomial-time adversaries have at most a negligible advantage in the above game.

Theorem V.1. If an adversary can break our scheme in the security model above, there exists at least one probabilistic polynomial-time algorithm that can solve the DBDH problem, which is defined in Section III, with a non-negligible advantage.

Proof: Suppose there exists a probabilistic polynomial-time adversary $\mathcal{A}$ that can attack our scheme in the security model above with advantage $\epsilon$. We prove that the following DBDH game can then be solved with advantage $\frac{\epsilon}{2}$.

Let $e : G_0 \times G_0 \rightarrow G_T$ be a bilinear map, where $G_0$ is a multiplicative cyclic group of prime order $p$ and $g$ is its generator. First the DBDH challenger flips a binary coin $\mu$, and sets $(g, A, B, C, Z) := (g, g^a, g^b, g^c, e(g,g)^{abc})$ if $\mu = 0$; otherwise he sets $(g, A, B, C, Z) := (g, g^a, g^b, g^c, e(g,g)^z)$, where $a, b, c, z \in \mathbb{Z}_p$ are randomly picked. The challenger then gives the simulator $(g, A, B, C, Z) = (g, g^a, g^b, g^c, Z)$. The simulator $sim$ then plays the role of the challenger in the following game.

Init: The adversary $\mathcal{A}$ creates a $T^*$ on which he wants to be challenged (the nodes inside the tree are defined by him).

Setup: $sim$ sets the parameter $Y := e(A, B) = e(g,g)^{ab}$ and gives this public parameter to $\mathcal{A}$.

Phase 1: $\mathcal{A}$ queries for as many private keys as he wants, corresponding to attribute sets $A_1, \dots, A_q$, where none of them satisfy $T^*$. $sim$, after receiving the key queries, computes the components of the private keys to respond to $\mathcal{A}$'s requests. For every attribute $i$ in a queried set $A_j$, he randomly picks $r_i \in \mathbb{Z}_p$ and computes $D_i := A \cdot H(att(i))^{r_i}$, $D'_i := g^{r_i}$. Then, $sim$ returns the created private key to $\mathcal{A}$.

Challenge: The adversary $\mathcal{A}$ submits two challenge messages $m_0$ and $m_1$ to the challenger. The challenger flips a binary coin $\gamma$ and returns the following ciphertext to $\mathcal{A}$:

$$CT^* = \left\{ T^*,\ E = m_\gamma \cdot Z,\ \{ C_i = g^{q_i(0)},\ C'_i = H(att(i))^{q_i(0)} \}_{i \in ATS} \right\}$$

If $\mu = 0$, $Z = e(g,g)^{abc}$. If we let $ab = \sum v_k$ and $c = s_0$ (this is possible because $v_k$, $k \in \{1, 2, \dots, N\}$, and $s_0$ are all randomly chosen from $\mathbb{Z}_p$), we have $Z = e(g,g)^{abc} = (e(g,g)^{ab})^c = Y^{s_0}$. Therefore, $CT^*$ is a valid ciphertext of the message $m_\gamma$. Otherwise, if $\mu = 1$, $Z = e(g,g)^z$. Then we have $E = m_\gamma \cdot e(g,g)^z$. Since $z \in \mathbb{Z}_p$ is a random element, $E$ is a random element of $G_T$ from $\mathcal{A}$'s perspective; therefore $CT^*$ contains no information about $m_\gamma$.

Phase 2: Repeat Phase 1 adaptively.

Guess: $\mathcal{A}$ submits a guess $\gamma'$ of $\gamma$. If $\gamma' = \gamma$, $sim$ outputs $\mu' = 0$, indicating that it was given a valid DBDH tuple $(g, A, B, C, Z)$; otherwise it outputs $\mu' = 1$, indicating that it was given a random 5-element tuple $(g, A, B, C, Z)$.

As shown in the construction of the game, the simulator $sim$ computes the public parameter and the private keys in the same way as our scheme. When $\mu = 1$, the adversary $\mathcal{A}$ learns no information about $\gamma$, so we have $\Pr[\gamma \neq \gamma' \mid \mu = 1] = \frac{1}{2}$. Since the challenger guesses $\mu' = 1$ when $\gamma \neq \gamma'$, we have $\Pr[\mu' = \mu \mid \mu = 1] = \frac{1}{2}$. If $\mu = 0$, the adversary $\mathcal{A}$ gets a valid ciphertext of $m_\gamma$. $\mathcal{A}$'s advantage in this situation is $\epsilon$ by definition, so we have $\Pr[\gamma = \gamma' \mid \mu = 0] = \frac{1}{2} + \epsilon$. Since the challenger guesses $\mu' = 0$ when $\gamma = \gamma'$, we have $\Pr[\mu' = \mu \mid \mu = 0] = \frac{1}{2} + \epsilon$. The overall advantage in this
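Carrying the overall advantage through from the two conditional probabilities above (this derivation is written out here and is not part of the original text):

$$
\begin{aligned}
\mathrm{Adv}_{sim} &= \Pr[\mu' = \mu] - \tfrac{1}{2} \\
&= \tfrac{1}{2}\Pr[\mu' = \mu \mid \mu = 0] + \tfrac{1}{2}\Pr[\mu' = \mu \mid \mu = 1] - \tfrac{1}{2} \\
&= \tfrac{1}{2}\left(\tfrac{1}{2} + \epsilon\right) + \tfrac{1}{2} \cdot \tfrac{1}{2} - \tfrac{1}{2} = \tfrac{\epsilon}{2}.
\end{aligned}
$$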




To conclude, as proved above, the advantage of a polynomial-time adversary in the DBDH game is $\frac{\epsilon}{2}$ if the advantage of a polynomial-time adversary in our security model is $\epsilon$. Therefore, if an adversary can break our scheme in our security model, which means $\epsilon$ is a non-negligible advantage, then a polynomial-time adversary's advantage in solving the DBDH problem, which is $\frac{\epsilon}{2}$, is also non-negligible. ∎

Since our scheme relies on the assumption that no probabilistic polynomial-time algorithm can solve the DBDH problem with non-negligible advantage, it can be deduced that no adversary can break our scheme in our security model.

TABLE III
Complexity Comparison (per authority)

Process          | Yu et al. [12]  | Chase et al. [6] | Ours
-----------------+-----------------+------------------+-----------
Setup            | O(1)            | O(1)             | O(1)
Key Generation   | O(X)            | O(N + I)         | O(N + I)
Encryption       | O(I)            | O(I)             | O(X · K)
Decryption       | O(max(X, I))    | O(N · I)         | O(X)
User Revocation  | O(1)            |                  | O(X · K)

VI. Performance Analysis 

In this section, we denote by $N$ the number of attribute authorities, by $I$ the size of the entire attribute set and by $X$ the number of nodes in a tree $T_p$.

A. Setup 

When the system is set up, $\prod Y_k$ is computed by any one of the authorities and sent to the others, whose complexity is $O(N)$. Then, the secret parameters $x_k$ are calculated within the clusters. The complexity of that calculation is $O(C^2 \cdot \frac{N}{C}) = O(C \cdot N)$, but $C$ is a constant, so $O(C \cdot N) = O(N)$. Therefore, the total complexity is $O(N)$. However, since we have $N$ authorities per system, the complexity per authority is $O(1)$.

B. Key Generation 

In the Attribute Key Generation, $g^{\sum v_j}$ is computed by $N$ authorities, and $D_i = H(att(i))^{r_i} \cdot g^{\sum v_j}$ is computed $I$ times by one attribute authority. Therefore, the total complexity of Attribute Key Generation is $O(N^2 + I \cdot N)$. In the Aggregation of Two Keys, a user aggregates the $I$ components, thus the computation complexity of this operation is $O(I)$. So, the complexity per authority is $O(N + I)$.

C. Encryption 

At every non-leaf node, a polynomial is chosen and $k_x - 1$ random numbers must be drawn to determine the polynomial, where $k_x$ is the threshold value of that node. Therefore, denoting the average threshold value by $K$, the computation complexity of this process is $O(X \cdot K)$.

D. Decryption 

DecryptNode is a recursive algorithm, and it is executed exactly once at every node in a breadth-first-search manner; therefore the computation complexity of this process is $O(X)$.
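As an added illustration of the threshold-polynomial sharing over a privilege tree that Sections V-C, VI-C and VI-D reason about (example code written for this page, not the paper's or its prototype's code): a $\mathbb{Z}_p$ model in which the pairing layer is omitted and node values are handled directly as exponents, so a key's per-user randomizer $r$ appears as a multiplier. It shows that a satisfying key recovers $r \cdot s_0$, that an insufficient key stops at a threshold node, that the encryption side draws $k_x - 1$ numbers per inner node, and that shares pooled from two keys with different randomizers do not interpolate to anything useful; the tree, attribute names and prime are constructed here.

```python
import secrets
P = (1 << 127) - 1  # constructed prime modulus for the toy field Z_p

class Node:  # inner node with threshold k_x, or leaf carrying one attribute
    def __init__(self, k=None, children=(), attr=None):
        self.k, self.children, self.attr = k, list(children), attr

def lagrange0(xs, p=P):
    """Lagrange coefficients for evaluating at 0 the polynomial through points xs."""
    out = []
    for i in xs:
        num = den = 1
        for j in xs:
            if j != i:
                num, den = num * (-j) % p, den * (i - j) % p
        out.append(num * pow(den, -1, p) % p)
    return out

def share(node, secret, p=P):
    """Encryption side: q_x of degree k_x-1 with q_x(0)=secret; child i gets q_x(i).
    Returns ({leaf attribute: q_leaf(0)}, number of random coefficients drawn)."""
    if node.attr is not None:
        return {node.attr: secret}, 0
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(node.k - 1)]
    leaves, work = {}, node.k - 1   # k_x - 1 numbers per inner node, O(X*K) overall
    for i, child in enumerate(node.children, 1):
        q_i = sum(c * pow(i, e, p) for e, c in enumerate(coeffs)) % p
        sub, w = share(child, q_i, p)
        leaves.update(sub)
        work += w
    return leaves, work

def decrypt_node(node, leaves, holders, p=P):
    """DecryptNode: a leaf yields r*q_x(0) with r the randomizer of the key holding the
    attribute; an inner node interpolates any k_x recovered children at 0."""
    if node.attr is not None:
        r = holders.get(node.attr)
        return None if r is None else r * leaves[node.attr] % p
    got = [(i, decrypt_node(c, leaves, holders, p)) for i, c in enumerate(node.children, 1)]
    got = [(i, v) for i, v in got if v is not None][:node.k]
    if len(got) < node.k:
        return None                 # threshold not met at this node
    lam = lagrange0([i for i, _ in got], p)
    return sum(l * v for l, (_, v) in zip(lam, got)) % p

def recovers(tree, leaves, holders, r, s0, p=P):  # does the key with randomizer r open CT?
    return decrypt_node(tree, leaves, holders, p) == r * s0 % p

# Constructed T_0: 2-of-3 over Professor, Chinese and a 1-of-2 subtree (Ph.D, American)
TREE = Node(k=2, children=[Node(attr="Professor"), Node(attr="Chinese"),
                           Node(k=1, children=[Node(attr="Ph.D"), Node(attr="American")])])
```

Pooling Professor from one key and Chinese from another fails with probability $1 - 1/p$, which is the collusion argument of Section V-C in miniature.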

E. User Revocation 

This operation has the same complexity as Decryption and Encryption together, which is $O(X \cdot K)$.

In this section, we give the experimental results of our scheme, obtained on a prototype of our scheme. To the best of our knowledge, this is the first implementation of a multi-authority attribute-based encryption scheme. Our prototype system provides five command line tools:

anonyabe-setup : Jointly generates a public key and N master keys.

anonyabe-keygen : Generates a part of the private key for the attribute set it is responsible for.

anonyabe-enc : Encrypts a file under r privilege trees.

anonyabe-dec : Decrypts a file if possible.

anonyabe-rec : Re-encrypts a file under other privilege trees.

This toolkit is based on the CP-ABE toolkit [?], which is in turn based on the PBC library, and the whole system is implemented on a Linux system with an Intel i7 2nd Gen @ 2.7GHz and 2GB RAM.

Figure 5 shows the computation overhead incurred in the core algorithms Setup, Key Generation, Encryption and Decryption under various conditions.

Figure 5(a) shows the system-wide setup time with different numbers of attribute authorities. Figure 5(b) shows the total key generation time (system-wide) with different numbers of authorities, where the number of attributes is fixed to 20. Figure 5(c) shows the key generation time with different numbers of attributes in each key, where the number of authorities is fixed to 4. Figure 5(d) shows the encryption and decryption time with different numbers of attributes in $T_0$; we set only one privilege, file access, to measure the most frequent operation. Figure 5(e) shows the encryption and decryption time with different file sizes, where the number of attributes in $T_0$ is fixed to 20. Figure 5(f) shows the time to create a privilege tree and calculate a verification parameter $Y^{s_j}$ from it. Obviously, the total time needed to create one VR is approximately equal to $r \cdot t$, where $r$ is the total number of privileges and $t$ is the time for creating one tree.

Re-encryption is omitted because it is merely a composition of Decryption and Encryption. Interestingly, in a series of experiments, the run time of encryption and decryption was independent of the tree structure. That is, no matter how complicated the tree is, the computation cost of encryption and decryption depends only on the number of nodes in the tree, which agrees with the performance analysis table in the previous section. Results of the other algorithms are just as we expected: the graphs generally follow the growth rates shown in the performance analysis table above.

VIII. Conclusion 

This paper proposed an anonymous attribute-based privilege control scheme, AnonyControl, to address the user privacy problem in a cloud storage server. Using multiple authorities in the cloud computing system, our proposed scheme achieves not only fine-grained privilege control but also anonymity while conducting privilege control based on users' identity information. More importantly, our system can tolerate the compromise of up to $N-2$ authorities, which is highly desirable, especially in Internet-based cloud computing environments. Furthermore, although the data contents are fully outsourced to Cloud Servers, the Cloud Servers cannot read the contents unless their private keys satisfy the privilege tree $T_0$. We also conducted a detailed security and performance analysis, which shows that AnonyControl is both secure and efficient for cloud storage systems.
Fig. 5. Experiment result on our implemented prototype system